Use of Administrator Account

By ntswil2
My domain is made up of both Windows 2000 and Windows NT servers. I have a number of "System Administrators" who currently use the Administrator user account to complete tasks. I want to stop this practice. How can I restrict the use of the administrator account without compromising its use by applications? I don't want to rename it. How can I hide this account?

by BeerMonster In reply to Use of Administrator Acco ...

Hi,
Frankly, there should be no application relying on the admin account anyway. If there is, then you need to change the app's config - not just to achieve what you want to do, but because it's poor practice. Having done that, you can simply change the password, or even rename it if you want to...

by Sojournist In reply to Use of Administrator Acco ...

Services and applications that need the authority of an administrative account should have their own service accounts that are added to the Domain Admins group.

Service accounts are generally given very long, complex passwords because they seldom change the way a user's password does. Applications like Exchange will crash on reboot if the service account password has changed since last boot.

Give your other admins their OWN accounts for administration. This will make actions auditable by individual instead of account. It is irresponsible to have multiple admins using the same account. It removes any sense of accountability and leaves no chain of evidence in the case of misconduct.

If the domain is Win2k, you don't need to give admins the full power of Domain Admin. You can use the Delegation of Control Wizard to assign groups of administrators the rights and permissions to take specific actions on segments of the network.

For example, you can give an account admin in the Accounting Department the ability to reset passwords and update accounts in the Accounting Department only. He would have no authority over any accounts outside of Accounting, nor would he be able to create new accounts. This is done by grouping the objects that an admin will have responsibility for into Organizational Units, then delegating specific authority over the OU to the admin. (Word to the wise: Delegate to groups, not users.)

Finally, whether or not you want to rename the account, it needs to be done. No one should be using the built-in anyway. Including you. It is the only account on the network that can be brute forced, contrary to account policies set at the domain level. Its inherent powers make it a dangerous tool. Rename it and give it a ridiculously long password.
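
Added example, not part of any post in this thread: before moving applications to service accounts and admins to their own accounts, it helps to see what still logs on as the built-in account. This sketch separates service/batch logons from person logons and lists sources of repeated failures. Assumptions: the CSV column layout and sample rows are constructed, and the event IDs are the NT/2000 security log IDs 528, 529 and 540.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample export (not real log data). Assumed column layout:
# time, event id, logon type, account, machine that logged the event, source workstation.
SAMPLE = """\
2003-05-12 08:01:10,528,5,Administrator,EXCH01,EXCH01
2003-05-12 08:14:32,528,2,Administrator,FILE02,FILE02
2003-05-12 09:02:47,540,3,Administrator,DC01,WKS-ACCT07
2003-05-12 09:03:05,528,2,jsmith-adm,DC01,DC01
2003-05-12 09:40:00,529,3,Administrator,DC01,WKS-LAB03
2003-05-12 09:40:02,529,3,Administrator,DC01,WKS-LAB03
2003-05-12 09:40:03,529,3,Administrator,DC01,WKS-LAB03
2003-05-12 23:00:00,528,4,Administrator,SQL01,SQL01
"""

SUCCESS = {"528", "540"}   # successful logon, successful network logon
FAILURE = {"529"}          # unknown user name or bad password
UNATTENDED = {"4", "5"}    # logon types: batch, service
FIELDS = ["time", "event_id", "logon_type", "account", "host", "source"]


def review_builtin_admin(log_text, account="Administrator", fail_threshold=3):
    """Split logons by the built-in account into application use and person use."""
    apps = defaultdict(set)
    people = []
    failures = Counter()
    for row in csv.DictReader(io.StringIO(log_text), fieldnames=FIELDS):
        if row["account"].lower() != account.lower():
            continue
        if row["event_id"] in FAILURE:
            failures[row["source"]] += 1
        elif row["event_id"] in SUCCESS:
            if row["logon_type"] in UNATTENDED:
                # A service or scheduled job on this host still runs as the account.
                apps[row["host"]].add(row["logon_type"])
            else:
                # Person logon: the log shows the source machine, not who typed the password.
                people.append((row["time"], row["host"], row["source"]))
    return {
        "app_dependencies": {h: sorted(t) for h, t in apps.items()},
        "person_logons": people,
        "guessing_sources": sorted(s for s, n in failures.items() if n >= fail_threshold),
    }


if __name__ == "__main__":
    for key, value in review_builtin_admin(SAMPLE).items():
        print(key, value)
```

Hosts under `app_dependencies` are the ones to move to a dedicated service account before the built-in account's password is changed; entries under `person_logons` show only a machine name, which is the accountability gap the post describes.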

by tshirer In reply to Use of Administrator Acco ...

You should also apply the security fix available from Microsoft if any of the workstations are Win95. It upgrades the encryption and makes it harder to crack the pwls.

Also, if I ever need to log on to a Win98 workstation, I never put the administration password in Windows. When it prompts, I make it blank.
